Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.00234
Percentile: 0.46235

CVSS Scoring

Mapped CWE(s)

• CWE-639 : Authorization Bypass Through User-Controlled Key

Affected Products

• cpe:2.3:a:instructure:canvas_learning_management_service:*:*:*:*:*:*:*:*

← Back to Home